
openssl: upgrade 3.3.1 -> 3.4.0

Message ID 20241023184829.2216595-1-peter.marko@siemens.com
State New

Commit Message

Peter Marko Oct. 23, 2024, 6:48 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Release information:
https://github.com/openssl/openssl/blob/openssl-3.4/NEWS.md#major-changes-between-openssl-33-and-openssl-340-22-oct-2024

Handles CVE-2024-9143

Refreshed patches.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 ...ke-history-reporting-when-test-fails.patch | 53 ++++++++-----------
 ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
 ...sysroot-and-debug-prefix-map-from-co.patch |  4 +-
 .../{openssl_3.3.1.bb => openssl_3.4.0.bb}    |  2 +-
 4 files changed, 28 insertions(+), 35 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.3.1.bb => openssl_3.4.0.bb} (99%)

Comments

Richard Purdie Oct. 24, 2024, 8:19 a.m. UTC | #1
On Wed, 2024-10-23 at 20:48 +0200, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> Release information:
> https://github.com/openssl/openssl/blob/openssl-3.4/NEWS.md#major-changes-between-openssl-33-and-openssl-340-22-oct-2024
> 
> Handles CVE-2024-9143
> 
> Refreshed patches.
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  ...ke-history-reporting-when-test-fails.patch | 53 ++++++++-----------
>  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
>  ...sysroot-and-debug-prefix-map-from-co.patch |  4 +-
>  .../{openssl_3.3.1.bb => openssl_3.4.0.bb}    |  2 +-
>  4 files changed, 28 insertions(+), 35 deletions(-)
>  rename meta/recipes-connectivity/openssl/{openssl_3.3.1.bb => openssl_3.4.0.bb} (99%)

Unfortunately this causes a regression in python3's ptest:

https://valkyrie.yoctoproject.org/#/builders/73/builds/270

I did revert this patch and tested a build and that passes so it is definitely from here.

I'm trying this in conjunction with the python 3.13 upgrade which might
let us fix this for master but if so, the problem for styhead and
earlier will probably remain.

There was a related python bug:

https://github.com/python/cpython/issues/87743

Copying Steve so he knows that gremlins lurk here...

Cheers,

Richard
Richard Purdie Oct. 24, 2024, 10:14 a.m. UTC | #2
On Thu, 2024-10-24 at 09:19 +0100, Richard Purdie via
lists.openembedded.org wrote:
> On Wed, 2024-10-23 at 20:48 +0200, Peter Marko via
> lists.openembedded.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> > 
> > Release information:
> > https://github.com/openssl/openssl/blob/openssl-3.4/NEWS.md#major-changes-between-openssl-33-and-openssl-340-22-oct-2024
> > 
> > Handles CVE-2024-9143
> > 
> > Refreshed patches.
> > 
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  ...ke-history-reporting-when-test-fails.patch | 53 ++++++++-------
> > ----
> >  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
> >  ...sysroot-and-debug-prefix-map-from-co.patch |  4 +-
> >  .../{openssl_3.3.1.bb => openssl_3.4.0.bb}    |  2 +-
> >  4 files changed, 28 insertions(+), 35 deletions(-)
> >  rename meta/recipes-connectivity/openssl/{openssl_3.3.1.bb =>
> > openssl_3.4.0.bb} (99%)
> 
> Unfortunately this causes a regression in python3's ptest:
> 
> https://valkyrie.yoctoproject.org/#/builders/73/builds/270
> 
> I did revert this patch and tested a build and that passes so it is
> definitely from here.
> 
> I'm trying this in conjunction with the python 3.13 upgrade which
> might
> let us fix this for master but if so, the problem for styhead and
> earlier will probably remain.
> 
> There was a related python bug:
> 
> https://github.com/python/cpython/issues/87743
> 
> Copying Steve so he knows that gremlins lurk here...

The 3.13 upgrade doesn't help so we're going to need to resolve the
ptest issue somehow to merge this...

Cheers,

Richard
Peter Marko Oct. 24, 2024, 6:56 p.m. UTC | #3
> -----Original Message-----
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> Sent: Thursday, October 24, 2024 12:14
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org; Steve Sakoman
> <steve@sakoman.com>
> Subject: Re: [OE-core][PATCH] openssl: upgrade 3.3.1 -> 3.4.0
> 
> On Thu, 2024-10-24 at 09:19 +0100, Richard Purdie via
> lists.openembedded.org wrote:
> > On Wed, 2024-10-23 at 20:48 +0200, Peter Marko via
> > lists.openembedded.org wrote:
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Release information:
> > > https://github.com/openssl/openssl/blob/openssl-3.4/NEWS.md#major-
> changes-between-openssl-33-and-openssl-340-22-oct-2024
> > >
> > > Handles CVE-2024-9143
> > >
> > > Refreshed patches.
> > >
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > ---
> > >  ...ke-history-reporting-when-test-fails.patch | 53 ++++++++-------
> > > ----
> > >  ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
> > >  ...sysroot-and-debug-prefix-map-from-co.patch |  4 +-
> > >  .../{openssl_3.3.1.bb => openssl_3.4.0.bb}    |  2 +-
> > >  4 files changed, 28 insertions(+), 35 deletions(-)
> > >  rename meta/recipes-connectivity/openssl/{openssl_3.3.1.bb =>
> > > openssl_3.4.0.bb} (99%)
> >
> > Unfortunately this causes a regression in python3's ptest:
> >
> > https://valkyrie.yoctoproject.org/#/builders/73/builds/270
> >
> > I did revert this patch and tested a build and that passes so it is
> > definitely from here.
> >
> > I'm trying this in conjunction with the python 3.13 upgrade which
> > might
> > let us fix this for master but if so, the problem for styhead and
> > earlier will probably remain.
> >
> > There was a related python bug:
> >
> > https://github.com/python/cpython/issues/87743
> >
> > Copying Steve so he knows that gremlins lurk here...
> 
> The 3.13 upgrade doesn't help so we're going to need to resolve the
> ptest issue somehow to merge this...
> 
> Cheers,
> 
> Richard

Richard,

I was able to bisect openssl to https://github.com/openssl/openssl/commit/933f57dfe21657f7aba8f13e0cdb3b02dd64fcc3
When I revert this commit, the python3-ptest also succeeds with openssl 3.4.0.
I have created https://github.com/python/cpython/issues/125936 to inform cpython maintainers.
I don't have enough knowledge to fix it myself but I think that the openssl commit breaking things should be a great lead for someone else.

During the investigation, I have also found the following 2 problems with python:

1) when running ptest in core-image-minimal, there are two crashes in console (both with openssl 3.3.1 and 3.4.0):
[   91.482461] python3[8605]: segfault at 10 ip 00007f5b0760f561 sp 00007ffeda12c440 error 4 in libpython3.12.so.1.0[1ae561,7f5b07566000+23c000] likely on CPU 0 (core 0, socket 0)
[   91.485213] Code: 0f 1f 84 00 00 00 00 00 90 41 54 55 53 48 89 fb 66 48 8d 3d c9 d9 35 00 66 66 48 e8 79 90 f5 ff 4c 8b 25 ca d7 35 00 48 8b 00 <48> 8b 68 10 49 3b 6c 24 30 74 09 f6 85 b0 06 00 00 20 75 4b 48 8d
[  118.871057] python3[12214]: segfault at 10 ip 00007f7ad5dd2561 sp 00007f7ad50f7dd0 error 4 in libpython3.12.so.1.0[1ae561,7f7ad5d29000+23c000] likely on CPU 2 (core 2, socket 0)
[  118.873991] Code: 0f 1f 84 00 00 00 00 00 90 41 54 55 53 48 89 fb 66 48 8d 3d c9 d9 35 00 66 66 48 e8 79 90 f5 ff 4c 8b 25 ca d7 35 00 48 8b 00 <48> 8b 68 10 49 3b 6c 24 30 74 09 f6 85 b0 06 00 00 20 75 4b 48 8d

2) python ptest parsing is wrong, it detected only one of 8 test failures (see my cpython issue and ptest logs).

Could someone create Bugzilla entries for these?

Regards,
  Peter
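The two console lines quoted in the message above are the kernel's x86 "segfault at" report. The following is an added triage helper, not code from the thread or from the openssl/python recipes, that parses such lines, decodes the page-fault error code and groups crashes by faulting instruction. It assumes the bracket after the object name has the recent-kernel form `[file_offset,vma_start+vma_len]` (the quoted numbers are consistent with that), and the sample input is constructed from the two reports in the mail plus shortened `Code:` lines that the parser must skip.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the two crash reports quoted in the thread, each
# followed by a (shortened) "Code:" line that the parser has to skip.
SAMPLE_CONSOLE = """\
[   91.482461] python3[8605]: segfault at 10 ip 00007f5b0760f561 sp 00007ffeda12c440 error 4 in libpython3.12.so.1.0[1ae561,7f5b07566000+23c000] likely on CPU 0 (core 0, socket 0)
[   91.485213] Code: 0f 1f 84 00 00 00 00 00 90 41 54 55 53 48 89 fb 66 48 8d 3d c9 d9 35 00
[  118.871057] python3[12214]: segfault at 10 ip 00007f7ad5dd2561 sp 00007f7ad50f7dd0 error 4 in libpython3.12.so.1.0[1ae561,7f7ad5d29000+23c000] likely on CPU 2 (core 2, socket 0)
[  118.873991] Code: 0f 1f 84 00 00 00 00 00 90 41 54 55 53 48 89 fb 66 48 8d 3d c9 d9 35 00
"""

# Shape of the x86 "segfault at" report. The bracket after the object name is
# "[file_offset,vma_start+vma_len]" on recent kernels (assumption: the kernel
# that produced the quoted lines uses this format; the numbers bear it out).
SEGFAULT_RE = re.compile(
    r"\[\s*(?P<ts>[\d.]+)\]\s+(?P<comm>\S+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>\d+) in (?P<obj>[^\[\s]+)"
    r"\[(?P<off>[0-9a-f]+),(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


@dataclass(frozen=True)
class Segfault:
    ts: float
    comm: str
    pid: int
    addr: int   # faulting data address
    ip: int     # instruction pointer at the fault
    sp: int
    err: int    # x86 page-fault error code
    obj: str    # object (ELF file) containing ip
    off: int    # ip's offset inside that file, as printed by the kernel
    base: int   # start of the mapping containing ip
    size: int   # length of that mapping


def parse_segfaults(console_text):
    """Return one Segfault per matching console line; other lines are ignored."""
    faults = []
    for line in console_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m is None:
            continue
        faults.append(Segfault(
            ts=float(m["ts"]), comm=m["comm"], pid=int(m["pid"]),
            addr=int(m["addr"], 16), ip=int(m["ip"], 16), sp=int(m["sp"], 16),
            err=int(m["err"]), obj=m["obj"], off=int(m["off"], 16),
            base=int(m["base"], 16), size=int(m["size"], 16)))
    return faults


def decode_error_code(err):
    """Bits of the x86 page-fault error code ('error N' in the report)."""
    return {
        "protection_violation": bool(err & 1),   # clear: page not present
        "write": bool(err & 2),                  # clear: read access
        "user_mode": bool(err & 4),
        "reserved_bit": bool(err & 8),
        "instruction_fetch": bool(err & 16),
    }


def classify(fault, page_size=4096):
    """Coarse triage bucket. A faulting address inside the first page is a
    NULL-based dereference (a struct field at that offset), which is what the
    quoted lines show: addr 0x10 with error 4 (user-mode read, page absent)."""
    bits = decode_error_code(fault.err)
    mode = "user" if bits["user_mode"] else "kernel"
    access = "write" if bits["write"] else ("exec" if bits["instruction_fetch"] else "read")
    if fault.addr < page_size:
        return f"{mode}-mode {access} through NULL pointer (+0x{fault.addr:x})"
    if bits["protection_violation"]:
        return f"{mode}-mode {access} of a mapped but protected page"
    return f"{mode}-mode {access} of an unmapped address"


def mapping_offset(fault):
    """ip relative to the mapping start. It differs from the kernel's file
    offset by the mapping's (page-aligned) file offset and must agree across
    crashes that hit the same instruction."""
    return fault.ip - fault.base


def group_by_site(faults):
    """Count crashes per (process, object, file offset): identical keys mean
    the same instruction faulted, i.e. one bug seen repeatedly, not several."""
    return Counter((f.comm, f.obj, f.off) for f in faults)


if __name__ == "__main__":
    for f in parse_segfaults(SAMPLE_CONSOLE):
        print(f"{f.comm}[{f.pid}] {f.obj}+0x{f.off:x}: {classify(f)}")
    print(group_by_site(parse_segfaults(SAMPLE_CONSOLE)))
```

Run against the quoted lines it reports both crashes as the same site in libpython3.12.so.1.0 (file offset 0x1ae561, mapping offset 0xa9561 in both processes), which is the usual first check before asking whether two crashes are one bug; the file offset is what `addr2line` or `objdump -d --start-address` on the matching libpython build takes.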

Patch

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
index aa2e5bb800..31bbbd8679 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -7,26 +7,19 @@  Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
 
 Signed-off-by: William Lyu <William.Lyu@windriver.com>
 ---
- test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
  test/helpers/handshake.h |  70 +++++++++++++++++++-
  test/ssl_test.c          |  44 +++++++++++++
- 3 files changed, 218 insertions(+), 35 deletions(-)
+ 3 files changed, 217 insertions(+), 34 deletions(-)
 
 diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
-index e0422469e4..ae2ad59dd4 100644
+index f611b3a..5703b48 100644
 --- a/test/helpers/handshake.c
 +++ b/test/helpers/handshake.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
 @@ -24,6 +24,102 @@
  #include <netinet/sctp.h>
  #endif
-
+ 
 +/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
 +/* Maps string names to various enumeration type */
 +typedef struct {
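Review bot: the refreshed version drops the inner `@@ -1,5 +1,5 @@` copyright-year hunk for test/helpers/handshake.c and the diffstat is updated to match (137 lines, 217 insertions, 34 deletions, i.e. one insertion and one deletion fewer), which is consistent; the other changes in this hunk only turn empty context lines into the single-space context lines a strict unified diff expects, so nothing functional moves here. One thing worth checking before carrying the patch into 3.4.0: the header still says `Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]`, so confirm that PR is still open rather than merged or closed upstream.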
@@ -126,10 +119,10 @@  index e0422469e4..ae2ad59dd4 100644
  HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
  {
      HANDSHAKE_RESULT *ret;
-@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
          SSL_set_post_handshake_auth(client, 1);
  }
-
+ 
 -/* The status for each connection phase. */
 -typedef enum {
 -    PEER_SUCCESS,
@@ -142,10 +135,10 @@  index e0422469e4..ae2ad59dd4 100644
  /* An SSL object and associated read-write buffers. */
  typedef struct peer_st {
      SSL *ssl;
-@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer)
+@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer)
      }
  }
-
+ 
 -typedef enum {
 -    HANDSHAKE,
 -    RENEG_APPLICATION_DATA,
@@ -160,10 +153,10 @@  index e0422469e4..ae2ad59dd4 100644
  static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
  {
      switch (test_ctx->handshake_mode) {
-@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
      }
  }
-
+ 
 -typedef enum {
 -    /* Both parties succeeded. */
 -    HANDSHAKE_SUCCESS,
@@ -180,10 +173,10 @@  index e0422469e4..ae2ad59dd4 100644
  /*
   * Determine the handshake outcome.
   * last_status: the status of the peer to have acted last.
-@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
-
+@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+ 
      start = time(NULL);
-
+ 
 +    save_loop_history(&(ret->history),
 +                      phase, status, server.status, client.status,
 +                      client_turn_count, client_turn);
@@ -191,10 +184,10 @@  index e0422469e4..ae2ad59dd4 100644
      /*
       * Half-duplex handshake loop.
       * Client and server speak to each other synchronously in the same process.
-@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
                                        0 /* server went last */);
          }
-
+ 
 +        save_loop_history(&(ret->history),
 +                          phase, status, server.status, client.status,
 +                          client_turn_count, client_turn);
@@ -203,7 +196,7 @@  index e0422469e4..ae2ad59dd4 100644
          case HANDSHAKE_SUCCESS:
              client_turn_count = 0;
 diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
-index 78b03f9f4b..b9967c2623 100644
+index 78b03f9..b9967c2 100644
 --- a/test/helpers/handshake.h
 +++ b/test/helpers/handshake.h
 @@ -1,5 +1,5 @@
@@ -214,9 +207,9 @@  index 78b03f9f4b..b9967c2623 100644
   * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
 @@ -12,6 +12,11 @@
-
+ 
  #include "ssl_test_ctx.h"
-
+ 
 +#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
 +#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
 +#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
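Review bot: inconsistency within this refreshed patch: the `@@ -1,5 +1,5 @@` copyright-year hunk for test/helpers/handshake.h is kept (the `Licensed under the Apache License 2.0` context lines are still there), while the equivalent year hunk for handshake.c was dropped in the first hunk of this file. A year bump is cosmetic and does not belong in a backported test fix either way; dropping it here as well keeps the patch minimal and avoids a needless conflict on the next upstream year change.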
@@ -228,7 +221,7 @@  index 78b03f9f4b..b9967c2623 100644
 @@ -22,6 +27,63 @@ typedef struct ctx_data_st {
      char *session_ticket_app_data;
  } CTX_DATA;
-
+ 
 +typedef enum {
 +    HANDSHAKE,
 +    RENEG_APPLICATION_DATA,
@@ -296,25 +289,25 @@  index 78b03f9f4b..b9967c2623 100644
 +    /* handshake loop history */
 +    HANDSHAKE_HISTORY history;
  } HANDSHAKE_RESULT;
-
+ 
  HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
 @@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
                                      CTX_DATA *server2_ctx_data,
                                      CTX_DATA *client_ctx_data);
-
+ 
 +const char *handshake_connect_phase_name(connect_phase_t phase);
 +const char *handshake_status_name(handshake_status_t handshake_status);
 +const char *handshake_peer_status_name(peer_status_t peer_status);
 +
  #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
 diff --git a/test/ssl_test.c b/test/ssl_test.c
-index ea608518f9..9d6b093c81 100644
+index ea60851..9d6b093 100644
 --- a/test/ssl_test.c
 +++ b/test/ssl_test.c
 @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
  /* Currently the section names are of the form test-<number>, e.g. test-15. */
  #define MAX_TESTCASE_NAME_LENGTH 100
-
+ 
 +static void print_handshake_history(const HANDSHAKE_HISTORY *history)
 +{
 +    size_t first_idx;
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index 502a7aaf32..c7e9c9d96e 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -17,10 +17,10 @@  Signed-off-by: Tim Orling <tim.orling@konsulko.com>
  1 file changed, 10 deletions(-)
 
 diff --git a/Configure b/Configure
-index 4569952..adf019b 100755
+index fff97bd..5ee54c1 100755
 --- a/Configure
 +++ b/Configure
-@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1529,16 +1529,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
          push @{$config{shared_ldflag}}, "-mno-cygwin";
          }
  
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index bafdbaa46f..b8672735ab 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -38,7 +38,7 @@  Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
 ===================================================================
 --- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
 +++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
-@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
+@@ -502,13 +502,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
                           '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
  
@@ -67,7 +67,7 @@  Index: openssl-3.0.4/crypto/build.info
 ===================================================================
 --- openssl-3.0.4.orig/crypto/build.info
 +++ openssl-3.0.4/crypto/build.info
-@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+@@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
  
  DEPEND[info.o]=buildinf.h
  DEPEND[cversion.o]=buildinf.h
diff --git a/meta/recipes-connectivity/openssl/openssl_3.3.1.bb b/meta/recipes-connectivity/openssl/openssl_3.4.0.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.3.1.bb
rename to meta/recipes-connectivity/openssl/openssl_3.4.0.bb
index 3bc0153429..734e3c54ef 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.3.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.4.0.bb
@@ -18,7 +18,7 @@  SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e"
+SRC_URI[sha256sum] = "e15dda82fe2fe8139dc2ac21a36d4ca01d5313c75f99f46c4e8a27709b7294bf"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
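Review bot: the only recipe change is the `SRC_URI[sha256sum]` bump plus the rename, so the "Handles CVE-2024-9143" claim in the commit message rests entirely on the version bump being picked up by cve-check; that is fine, but the commit message should say so rather than imply a dedicated fix. The new checksum should be cross-checked against the SHA256 upstream publishes for the 3.4.0 tarball (or the signed release announcement), since that line is the only integrity anchor for what the fetcher downloads. Finally, as the follow-up discussion in this thread shows, the bump regresses python3's ptest (bisected to a single upstream openssl commit), so the recipe change should be held until that is resolved.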